CN113517983B - Method and device for generating secure computing key and performing secure computing - Google Patents

Publication number
CN113517983B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110551588.XA
Other languages
Chinese (zh)
Other versions
CN113517983A (en
Inventor
黄章杰
马宝利
雷浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46: Secure multiparty computation, e.g. millionaire problem

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiments of this specification provide a method and a device for two parties to jointly generate a secure computation key and perform secure computation. The secure computation uses a distributed point function that maps an integer α to a predetermined value β in a k-bit integer ring. Each of the two parties generates a binary tree and initializes the label value of the root node. Labels are then assigned to the binary tree layer by layer: for each node of the j-th layer, a temporary label value is generated from the node's parent node; the two parties then determine the correction factors for the j-th layer through MPC, based on their fragments of α; and the temporary label values are corrected with the correction factors to obtain the label value of each node, such that for a punctured node the difference between the two parties' label values is constant, and for a non-punctured node the two parties' label values are the same. Each party then determines an output correction value based on the leaf node label values and its fragment of β. Each party thereby generates a key comprising the label value of the root node, the correction factors and the output correction value.

Description

Method and device for generating secure computing key and performing secure computing
Technical Field
One or more embodiments of the present disclosure relate to the field of data privacy security, and more particularly, to methods and apparatus for generating secure computing keys and performing secure computing.
Background
With the development of computer technology, machine learning has been applied to various technical fields for analyzing and processing various business data. The data required by machine learning often relates to a plurality of fields, for example, in a machine learning-based merchant classification analysis scene, an electronic payment platform has transaction flow data of merchants, an electronic commerce platform stores sales data of the merchants, and a banking institution has loan data of the merchants. Data often exists in the form of islands. Because of the problems of industry competition, data security, user privacy and the like, data integration faces great resistance, and training of a machine learning model by integrating data scattered on each platform is difficult to realize. Therefore, a way of multiparty joint training and business processing using machine learning models is proposed.
In the scenario of multiparty joint training and use of machine learning models, the protection of data privacy is a concern. For example, in a multiparty computing scenario, party A holds a feature matrix formed from the user sample feature data to be processed, and party B holds a parameter matrix formed from the model parameters of a data processing model. To keep each party's private data secure, parties A and B need to perform secure matrix multiplication without exposing their respective matrix data. Other multiparty computing scenarios have other secure computing needs.
In order to protect the privacy of data of each party in the multiparty computing process, a plurality of secure computing protocols are provided, and the secure computing protocols are applicable to different secure computing scenes. Most secure computing protocols require pre-generated data tuples for use in the computing process.
It is therefore desirable to provide improved schemes for more efficient and safer generation of data tuples for secure computing protocols, thereby improving the efficiency and security of multiparty computing.
Disclosure of Invention
One or more embodiments of the present disclosure describe a method and apparatus for generating a secure computation key by combining two parties, and performing secure computation based on the key, so as to implement secure computation of a distributed point function in a ring algebra structure that meets service requirements.
According to a first aspect, there is provided a method for two parties to jointly generate a secure computation key, the secure computation using a distributed point function that maps a preset integer α to a predetermined value β in a k-bit integer ring; the preset integer α and the predetermined value β are distributed in fragments between the two parties, the two parties comprise a first party and a second party, and the method is executed by either of the two parties and comprises the following steps:
generating a binary tree and initializing a label value of a root node;
Performing label assignment processing on the binary tree layer by layer, wherein the label assignment processing for the j-th layer comprises the following steps:
for each node of the j-th layer, generating a temporary label value of the node according to the label value of the parent node;
based on the temporary label values and this party's fragment of the preset integer α, determining the correction factor corresponding to the j-th layer by performing a first secure computation with the corresponding data provided by the other party;
and correcting the temporary label value of each node using the correction factor to obtain a first label value and a second label value of each node, such that: for a punctured node, the difference between the second label values obtained by the first party and the second party is a constant c, and for a non-punctured node, the first label values and the second label values of the two parties are respectively the same; a punctured node is a node passed through on the path from the root node to the punctured leaf node, and the punctured leaf node is the leaf node whose index number corresponds to the preset integer α;
determining an output correction value by performing a second secure computation with the corresponding data provided by the other party, based on the first label value of each leaf node and this party's fragment of the predetermined value β;
a calculation key is generated, which includes the tag value of the root node, correction factors for the respective layers, and the output correction value.
In one embodiment, the domain of the distributed point function is an integer ring comprising M elements; the leaf node layer of the binary tree includes at least M leaf nodes corresponding to the M elements.
According to one embodiment, initializing the label value of the root node specifically includes: randomly generating a first bit string as the first label value of the root node; and assigning a fixed value to the second label value of the root node in an agreed manner, wherein the agreed manner ensures that the difference between the fixed value of the first party and the fixed value of the second party is the constant c.
According to one embodiment, the method for generating the temporary label value of the node specifically comprises the following steps: for any first node in the j-th layer, generating a corresponding pseudo-random value by using a pseudo-random generator according to a first label value of a father node of the first node, and taking the corresponding pseudo-random value as a temporary label value of the first node.
In one embodiment, determining the correction factor corresponding to the j-th layer specifically includes: summing the temporary label values of the left nodes and of the right nodes of the j-th layer respectively, to obtain a left sum value and a right sum value; and performing the first secure computation using the left sum value, the right sum value and this party's fragment of the preset integer α, together with the corresponding sum values and the other party's fragment of the preset integer α provided by the other party, to obtain the correction factor corresponding to the j-th layer.
In one embodiment, the correction factors include a first label factor, a left label factor, and a right label factor, wherein: the first label factor indicates the difference, on the side opposite the punctured node, between the sum of the first party's temporary label values and the sum of the second party's temporary label values; the left label factor is determined based on a left difference value and the side on which the punctured node is located, the left difference value being the difference between the sum of the first party's left-node temporary label values and the sum of the second party's left-node temporary label values; the right label factor is determined based on a right difference value and the side on which the punctured node is located, the right difference value being the difference between the sum of the first party's right-node temporary label values and the sum of the second party's right-node temporary label values.
According to one embodiment, correcting the temporary label value of each node by using the correction factor specifically includes: for any first node in the j-th layer, correcting the temporary label value by using the second label value of the father node and the first label factor to obtain a first label value of the first node; and selecting a corresponding factor from the left label factor and the right label factor according to the side where the first node is located, and correcting the temporary label value by using the second label value of the father node and the selected corresponding factor to obtain the second label value of the first node.
According to one embodiment, determining the output correction value specifically includes: calculating the sum of the first label values of all leaf nodes as this party's label sum value; and performing the second secure computation using this party's label sum value and this party's fragment of the predetermined value β, together with the other party's label sum value and the other party's fragment of the predetermined value β, to obtain the output correction value, wherein the output correction value equals the first party's label sum value minus the second party's label sum value, minus the predetermined value β.
According to a second aspect, there is provided a method of performing a security calculation using a distributed point function for mapping a preset integer α to a predetermined value β in a k-bit integer ring; the two parties include a first party and a second party, the method being performed by either of the two parties, comprising:
acquiring a computing key generated according to the method of the first aspect, wherein the computing key comprises a tag value of a root node, correction factors of various layers of a binary tree, and output correction values;
acquiring an input integer;
mapping the input integer to a target leaf node in a leaf node layer of the binary tree, and determining target nodes passing through each layer from a root node to the target leaf node;
Calculating the label value of each layer of target nodes layer by layer according to the label value of the root node and the correction factors of each layer until the first label value and the second label value of the target leaf node are determined;
and determining a current output fragment according to the first label value, the second label value and the output correction value of the target leaf node, wherein the current output fragment is used for being combined with an output fragment of the other party to serve as an output value of the distributed point function aiming at the input integer.
According to one embodiment, the method calculates the label value of each layer of target nodes layer by layer, specifically includes: for a target node in the j-th layer, generating a temporary label value of the target node according to the label value of a parent node of the target node; and correcting the temporary tag value of the target node by using the correction factor of the j-th layer to obtain a first tag value and a second tag value of the target node.
Further, in one embodiment, the correction factors include a first label factor, a left label factor, and a right label factor; correcting the temporary tag value of the target node by using the correction factor of the j-th layer specifically includes: correcting the temporary tag value by using the second tag value of the father node and the first tag factor to obtain a first tag value of the target node; and selecting a corresponding factor from the left label factor and the right label factor according to the side where the target node is located, and correcting the temporary label value by using the second label value of the father node and the selected corresponding factor to obtain the second label value of the target node.
In one example, when the party is the first party, determining this party's output fragment includes: calculating the product of the second label value of the target leaf node and the output correction value, and taking the sum, in the k-bit integer ring, of the first label value of the target leaf node and the product as the output fragment;
when the party is the second party, determining this party's output fragment includes: calculating the product of the second label value of the target leaf node and the output correction value, and taking the negative, in the k-bit integer ring, of the sum of the first label value of the target leaf node and the product as the output fragment.
According to a third aspect, there is provided an apparatus for generating a secure computation key jointly by two parties, the secure computation using a distributed point function for mapping a preset integer α to a predetermined value β in a k-bit integer ring; the preset integer alpha and the preset value beta are distributed in a fragmentation mode among two parties, the two parties comprise a first party and a second party, the device is deployed on any one of the two parties and comprises:
an initializing unit configured to generate a binary tree and initialize a tag value of a root node;
The label assignment unit is configured to perform label assignment processing on the binary tree layer by layer, and comprises the following steps:
the temporary label generating module is configured to generate a temporary label value of each node of the j-th layer according to the label value of the father node of the node;
the correction factor determining module is configured to determine the correction factor corresponding to the j-th layer by performing a first secure computation with the corresponding data provided by the other party, based on the temporary label values and this party's fragment of the preset integer α;
the label correction module is configured to correct the temporary label value of each node using the correction factor to obtain a first label value and a second label value of each node, such that: for a punctured node, the difference between the second label values obtained by the first party and the second party is a constant c, and for a non-punctured node, the first label values and the second label values of the two parties are respectively the same; a punctured node is a node passed through on the path from the root node to the punctured leaf node, and the punctured leaf node is the leaf node whose index number corresponds to the preset integer α;
an output correction determining unit configured to determine an output correction value by performing a second secure computation with the corresponding data provided by the other party, based on the first label value of each leaf node and this party's fragment of the predetermined value β;
And a key generation unit configured to generate a calculation key including a tag value of the root node, correction factors of the respective layers, and the output correction value.
According to a fourth aspect, there is provided an apparatus for performing a security calculation using a distributed point function for mapping a preset integer α to a predetermined value β in a k-bit integer ring; the two parties include a first party and a second party, and the device is deployed on either of the two parties and comprises:
a key acquisition unit configured to acquire the computation key generated by the apparatus according to claim 13, including a tag value of the root node, correction factors of respective layers of the binary tree, and output correction values;
an input acquisition unit configured to acquire an input integer;
a target node determining unit configured to map the input integer to a target leaf node in a leaf node layer of the binary tree, and determine a target node passing at each layer from a root node to a target leaf node;
the label value determining unit is configured to calculate label values of target nodes of all layers layer by layer according to the label values of the root node and correction factors of all layers until a first label value and a second label value of the target leaf node are determined;
and an output determining unit configured to determine this party's output fragment according to the first label value and the second label value of the target leaf node and the output correction value, wherein this party's output fragment is to be combined with the other party's output fragment to give the output value of the distributed point function for the input integer.
According to a fifth aspect, there is provided a computing device comprising a memory and a processor, wherein the memory has executable code stored therein, the processor, when executing the executable code, implementing the method of the first or second aspect.
With the method and the device provided by the embodiments of this specification, the first party and the second party jointly carry out a distributed point function operation in the k-bit integer ring. In the offline stage, the two parties each construct a binary tree with the same tree structure, jointly determine the correction factors, and correct the node label values with the correction factors, so that the node labels of the two parties satisfy the following invariant: for non-punctured nodes, the label values of the two parties are equal; for punctured nodes, the difference between the second label values obtained by the first party and the second party is constant. Each party obtains its key from the label value of the root node, the correction factors of each layer and the output correction value. With the keys obtained, the two parties can operate on an integer input online and thereby jointly carry out the secure computation based on the distributed point function. Such secure computation produces output in the k-bit integer ring, as the business requires, which facilitates efficient execution of subsequent secure computation.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a schematic diagram of a secure computing scheme according to one embodiment;
FIG. 2 illustrates a flow diagram of a method for the joint generation of secure computing keys by two parties in one embodiment;
FIG. 3 shows a schematic diagram of a binary tree containing punctured nodes in one specific example;
FIG. 4 illustrates a method flow for security computation according to one embodiment;
FIG. 5 illustrates a target node schematic diagram in one particular example;
FIG. 6 illustrates an apparatus schematic diagram for generating secure computing keys, according to one embodiment;
FIG. 7 illustrates an apparatus schematic for conducting security calculations, according to one embodiment.
Detailed Description
The following describes the scheme provided in the present specification with reference to the drawings.
As mentioned above, to strengthen privacy protection, various secure computing protocols have been proposed for multiparty secure modeling and prediction in different scenarios, so as to perform joint risk control and joint business prediction.
In particular, in many scenarios where business predictions are performed jointly, securely computing a multiplication is a common task for the two parties. Here the multiplication may be matrix by matrix, matrix by vector, or number by number. In the two-party secure number-by-number multiplication scenario, one party P0 has a ∈ R, the other party P1 has b ∈ R, and the two parties need to compute c = ab such that P0 finally obtains c_0, P1 obtains c_1, c_0 + c_1 = c holds, and neither party knows c. The values a and b may be private data, such as sensitive user information or model parameters that must be kept confidential. Using precomputed multiplication triples, c can be computed efficiently. The two parties can securely generate the multiplication triples through the oblivious linear function evaluation (OLE) protocol.
The oblivious linear function evaluation (OLE) protocol is a secure two-party computation protocol that allows the receiver (Alice) to obtain a linear combination of the secret she holds with the data of the sender (Bob). Specifically, suppose Bob holds finite field elements u and v and Alice holds a secret element x. Through the protocol, Alice finally obtains a value w satisfying w = ux + v. The security of the protocol ensures that, after the whole protocol has run, Alice learns nothing about u and v and Bob learns nothing about x. Using the OLE protocol, the two parties can securely generate multiplication triples: for example, one party obtains (u1, v1, w1) and the other obtains (u2, v2, w2), satisfying (u1 + u2) × (v1 + v2) = (w1 + w2), which lets the two parties carry out secure multiplication online.
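How such a triple is consumed online, as an added example that is not taken from the patent: P0 holds a, P1 holds b, and each ends with a fragment of c = ab in the k-bit integer ring. `deal_triple` is a local stand-in for the OLE-based offline phase, k = 64 is a constructed choice, and all function names are hypothetical.

```python
import secrets

K = 64                  # ring of k-bit integers; k = 64 is a constructed choice
MOD = 1 << K


def share(x):
    """Split x into two additive fragments modulo 2^K."""
    r = secrets.randbelow(MOD)
    return r, (x - r) % MOD


def deal_triple():
    """Stand-in for the OLE-based offline phase (hypothetical helper).

    Returns (u1, v1, w1) for P0 and (u2, v2, w2) for P1 such that
    (u1 + u2) * (v1 + v2) = (w1 + w2) modulo 2^K.
    """
    u, v = secrets.randbelow(MOD), secrets.randbelow(MOD)
    u1, u2 = share(u)
    v1, v2 = share(v)
    w1, w2 = share(u * v % MOD)
    return (u1, v1, w1), (u2, v2, w2)


def secure_multiply(a, b, triple0, triple1):
    """P0 holds a, P1 holds b. Returns (c_0, c_1, opened) with c_0 + c_1 = a*b."""
    u1, v1, w1 = triple0
    u2, v2, w2 = triple1
    # Round 1: each party masks its input with its triple fragments.
    # P0's fragments of (a, b) are (a, 0); P1's fragments are (0, b).
    d0, e0 = (a - u1) % MOD, (-v1) % MOD     # messages sent by P0
    d1, e1 = (-u2) % MOD, (b - v2) % MOD     # messages sent by P1
    d = (d0 + d1) % MOD                      # public value a - u
    e = (e0 + e1) % MOD                      # public value b - v
    # Local step: c_i = w_i + d*v_i + e*u_i; P0 also adds the public d*e.
    c0 = (w1 + d * v1 + e * u1 + d * e) % MOD
    c1 = (w2 + d * v2 + e * u2) % MOD
    return c0, c1, (d, e)
```

Each triple is single-use: opening a - u for two different inputs under the same u reveals the difference of those inputs.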
Typically, the OLE protocol can be implemented by a distributed point function. The point functions and the distributed point functions are briefly described as follows.
Point function: let the domain of the function be I and the range be G. A point function is a special function on this domain and range in which exactly one point of the domain maps to a fixed value in the range, and all other points of the domain map to the zero element of the range. More specifically, let f_{α,β}(x) be a point function, with α ∈ I and β ∈ G; then:
Distributed point function: in secure multiparty computing scenarios, a point function is sometimes determined jointly by the two parties participating in a protocol, and neither party fully knows the specific definition of the point function (apart from the public domain and range). For example, in a secure multiparty computing scenario, for the point function f_{α,β}(x): I → G, each party knows only one fragment of α and of β (let the fragments of α be α_0 and α_1; P0 knows only α_0 and P1 knows only α_1; β is similar), without knowing the complete α and β, so that neither party knows the complete f_{α,β}(x).
On the other hand, in many secure computing platforms, computation on data is based on a ring algebraic structure. A ring is an algebraic structure common in cryptography. The definition of a ring R comprises three parts, the set of all elements in the ring, an addition operation and a multiplication operation, which satisfy the following conditions: (1) the set of all elements and the addition operation define a commutative group, i.e. closure, associativity, existence of an identity element, existence of an inverse for each element, and commutativity of addition are satisfied; (2) the set of all elements and the multiplication operation define a semigroup, i.e. closure is satisfied; (3) the multiplication operation satisfies the distributive law with respect to the addition operation. For example, the set Z of all integers with the usual algebraic addition and multiplication forms a ring.
It will be appreciated that in practice, for efficiency, data in a computing platform usually takes the form of bit strings of a fixed length. In many secure computing platforms, computation on data is therefore carried out in the k-bit integer ring, in which all elements belong to [0, 2^k), i.e. do not exceed k bits, and addition is taken modulo 2^k.
Although some schemes exist for implementing the OLE protocol with a distributed point function, the results output by the existing schemes often do not fit the ring algebraic structure required by the secure computing platform, in particular the k-bit integer ring structure. There is therefore a need for an improved solution that can efficiently compute multiplication triples in the k-bit integer ring, and thereby perform multiparty secure computation efficiently.
FIG. 1 illustrates a schematic diagram of a secure computing scheme, according to one embodiment. The secure computation involves a first party P0 and a second party P1, which need to jointly construct a distributed point function f_{α,β}(x). The distributed point function maps the preset integer α to a predetermined value β in the k-bit integer ring. In advance, each party holds only one fragment of the preset integer α and of the predetermined value β, that is, the first party P0 holds (α_0, β_0) and the second party P1 holds (α_1, β_1). To carry out the distributed point function operation, in the preparation stage or offline stage the two parties need to jointly compute the keys K_0 and K_1 required for evaluating the function.
Specifically, as shown in FIG. 1, in the offline stage the two parties each construct a binary tree with the same tree structure and initialize the root node. The punctured nodes are defined as all nodes on the path through the binary tree from the root node to the α-th leaf node of the last layer. Neither party can know the specific position of the punctured nodes; however, while assigning the node labels of the tree layer by layer, the two parties jointly determine the correction factors through secure computation, and correction with these factors ensures that the node labels of the two parties' trees satisfy the following invariant: for non-punctured nodes, the label values of the two parties are equal; for punctured nodes, the difference between the second label values obtained by the first party and the second party is constant. The two parties also obtain the output correction value based on the leaf node label values and the fragments of β. Then the parties P0 and P1 obtain the keys K_0 and K_1 respectively, from the label value of the root node, the correction factors of each layer and the output correction value.
Thus, in the online stage, the two parties can use the keys K_0 and K_1 determined in the offline stage to jointly compute the distributed point function. Specifically, the first party P0 and the second party P1 each receive the current input integer x, compute the label value of the x-th leaf node along their own binary tree using their own key, and obtain their output fragments V0 and V1 in an agreed manner from that label value and the output correction value. The precomputed output correction value and the agreed manner ensure that if the input integer x is equal to α, the sum of the two parties' output fragments is β, and if the input integer is not equal to α, the sum of the two parties' output fragments is zero. In this way, a computation of a distributed point function suited to the ring structure is achieved.
The detailed implementation of the above inventive concept is described below.
FIG. 2 illustrates a flow diagram of a method for the joint generation of secure computing keys by two parties in one embodiment. It should be appreciated that the first party P0 and the second party P1 may be any entity that needs to perform security calculation, for example, the first party P0 is a bank or a payment platform that owns user privacy data, and the second party P1 is a model owner that owns trained model data; alternatively, the first party P0 and the second party P1 each possess partial privacy data and partial model data. Also, it should be appreciated that the first party and the second party may each be implemented by any device, apparatus, platform, cluster of devices having computing, processing capabilities.
The aforementioned secure computation is based on a distributed point function f_{α,β}(x), whose domain is an integer ring Z and whose range is a k-bit integer ring. The function maps a preset integer α in the domain to a predetermined value β in the range. In advance, each party holds one slice of the preset integer α and of the predetermined value β, i.e., the first party P0 holds (α_0, β_0) and the second party P1 holds (α_1, β_1). Let α have n bits, denoted as α = (α^(1) … α^(n))_2. Then the slices of α held by both parties can also be written correspondingly:
To generate the key for use in the secure computation, first, both parties each generate a binary tree and initialize the tag value of the root node, step 21.
The binary trees generated by both parties have the same predetermined tree structure, which ensures that the leaf nodes of the binary tree can accommodate all possible values in the domain of the distributed point function. Specifically, assume that the domain of the distributed point function is an integer ring containing M elements; the leaf node layer of the binary tree includes at least M leaf nodes corresponding to the M elements. Assuming that the binary tree has n layers, then 2^n ≥ M. In one embodiment, if 2^n is larger than M, the tree structure can be pruned, cutting off the nodes other than the first M nodes in the leaf node layer; alternatively, the nodes after the first M nodes may be set as null nodes.
Each node in the binary tree has a tag that is divided into two parts, a first tag s and a second tag t. Hereinafter, the tag values of the first and second tags are written with a subscript b denoting the executing party (b=0 denotes the first party P0, b=1 denotes the second party P1) and a superscript (j, l) denoting the l-th node of the j-th layer.
After the two parties generate the tree structure of the binary tree, each assigns labels to the root node of its binary tree, that is, initializes the label values of the root node. To ensure that the two parties' trees satisfy the invariant relationship, for the root node each party randomly generates a bit string as the first tag value of the root node, and assigns an agreed fixed value to the second tag value of the root node in an agreed manner; the agreement ensures that the difference between the fixed value of the first party and the fixed value of the second party is the constant c. Typically, the constant c takes a value of -1. The specific examples below are described for the case c = -1, after which the case of other values of c will be discussed.
Specifically, the process of initializing the root node tag value by both parties may proceed as follows.
The first party P0 selects a random bit string as the first tag value of the root node and sets the second tag value to a fixed string. The second party P1 likewise selects a random bit string as the first tag value of the root node and sets the second tag value to a fixed string. Here λ is a system preset parameter with λ ≥ k; typically, λ is greater than or equal to 128. Clearly, for the root node, the first tag values of the two parties are independent of each other, and the second tag values satisfy the invariant relationship t_0 - t_1 = -1.
Next, at step 22, the first and second parties perform tag assignment processing on their respective binary trees layer by layer. In the following, a specific process of label assignment will be described with reference to any j-th layer, j being any one layer from layer 1 (the root node is layer 0) to layer n.
First, in step 221, each party generates, for each node of the j-th layer, a temporary label value of the node according to the label value of its parent node. Specifically, for any node in the j-th layer, which is called a first node, a corresponding pseudo-random value is generated by using a contracted pseudo-random generator G according to a first tag value of a parent node of the first node, and is used as a temporary tag value of the first node.
More specifically, the first party P0 takes any i-th node (j-1, i) of layer j-1 as a parent node and applies the agreed pseudo-random generator G to its first tag value to obtain two random values. The first random value is used as the temporary tag value of the left child node (j, 2i) and is temporarily assigned to the first tag and the second tag of the left child node; the second random value is used as the temporary tag value of the right child node and is temporarily assigned to the first tag and the second tag of the right child node. Namely:
where the first output is the first random value generated from the first tag value of the parent node, which is also the temporary tag value of the left child node, and the second output is the second random value, which is also the temporary tag value of the right child node.
In one specific example, the first tag value of the parent node is a lambda bit string. When a string of lambda bits is input to the above pseudo-random generator G, the algorithm outputs a pseudo-random string of 2 lambda bits. The 2 lambda bit string can be split into two lambda bit strings, which are used as temporary tag values for the left and right child nodes respectively. Thus, each node of the j-th layer has a temporary tag value.
The procedure for the second party P1 is similar:
Thus, the first party and the second party each assign a temporary tag value to each node of their j-th layer.
Then, in step 222, the two parties determine the correction factor corresponding to the j-th layer together by performing the first security operation with the corresponding data provided by the other party based on the temporary tag value obtained by the two parties and the preset integer α.
For this purpose, each of the two parties sums the temporary tag values of the j-th layer left node and the j-th layer right node thereof to obtain a left sum value and a right sum value.
That is, the first party P0 calculates the left sum value and the right sum value of its j-th layer.
The second party P1 calculates the left sum value and the right sum value of its j-th layer.
The first party then uses its own left sum value, right sum value and the first slice α_0 of the preset integer α, and the second party uses its own left sum value, right sum value and the second slice α_1 of the preset integer α; the two parties perform a secure computation to obtain the correction factor corresponding to the j-th layer.
Specifically, the correction factor includes a first label factor σ_j, a left label factor τ_{j,0} and a right label factor τ_{j,1}, which are defined as follows:
where α^(j) is the j-th bit of the preset integer α when α is written as an n-bit string α = (α^(1) … α^(n))_2.
When the leaf node in the leaf node layer whose index number corresponds to α is defined as the punctured leaf node, a path is formed in the binary tree from the root node to the punctured leaf node, which may be referred to as the punctured path. All nodes on the punctured path, including the root node and the punctured leaf node, constitute the punctured nodes. The n-bit string corresponding to the preset integer α indicates, starting from the root node, whether the path goes to the left (bit value 0) or to the right (bit value 1) at each layer to enter the next layer, finally reaching the α-th leaf node; accordingly, α^(j) can be understood as indicating whether the punctured node of the j-th layer lies on the left or on the right.
It can be seen that the first label factor σ_j indicates, on the side opposite the punctured node, the difference between the sum of the first party's temporary tag values and the sum of the second party's temporary tag values;
the left label factor τ_{j,0} is determined based on the left difference and the side α^(j) of the punctured node, where the left difference is the difference between the sum of the first party's left-node temporary tag values and the sum of the second party's left-node temporary tag values;
the right label factor τ_{j,1} is determined based on the right difference and the side α^(j) of the punctured node, where the right difference is the difference between the sum of the first party's right-node temporary tag values and the sum of the second party's right-node temporary tag values.
It should be noted that each of the first and second parties holds only a slice of α, and therefore, each party cannot know the exact position of each layer piercing node. However, based on the respective pieces of α held, and the left side sum value and the right side sum value, both can calculate the correction factor by the secure multiparty calculation MPC method. The secure multiparty computing MPC can ensure that both parties can obtain the computing result of the correction factor, but cannot acquire the original data of the other party or acquire the specific position information of the piercing node.
Then, in step 223, based on the commonly obtained correction factors, each of the two parties corrects the temporary tag value of each node by using the correction factors to obtain a first tag value and a second tag value of each node, so that: the difference between the second tag values obtained by the first and second parties respectively is a constant c for the punctured node, and the first tag value and the second tag value of the non-punctured node are the same.
Specifically, for any node in the j-th layer, denoted a first node i, each of the two parties corrects the temporary tag value using the second tag value t of the parent node and the first label factor σ_j to obtain the first tag value of the first node. It then selects, according to the side on which the first node i lies, the corresponding factor from the left label factor τ_{j,0} and the right label factor τ_{j,1}, and corrects the temporary tag value using the second tag value t of the parent node and the selected factor to obtain the second tag value of the first node.
In one specific example, the first party P0 corrects its first tag value by the following equation (4), and corrects its second tag value by the equation (5):
where the floor operation denotes rounding down and therefore identifies the parent node of the i-th node of the j-th layer, whose second tag value is used in the correction. lsb(i) denotes the lowest bit of i, which here is equivalent to the parity of the i-th node, i.e., its left/right indication. That is, if the i-th node is located on the left side (lsb(i)=0), the left label factor τ_{j,0} is selected for the correction; if the i-th node is located on the right side (lsb(i)=1), the right label factor τ_{j,1} is selected for the correction.
Similarly, the second party P1 corrects its first tag value by the following equation (6), and corrects its second tag value by the equation (7):
The following proves that correction by the correction factors ensures that the label values of the nodes in every layer of the two parties' binary trees satisfy the invariant relationship: for a punctured node, the first tag values of the first party and the second party are independent and the difference between the second tag values is the constant -1; for a non-punctured node, the first tag values and the second tag values of the two parties are correspondingly the same.
Fig. 3 shows a schematic diagram of a binary tree containing punctured nodes in one specific example. Wherein the punctured nodes are shown in gray.
As described above, the root node is also a punctured node. By the initialization of the root node label in step 21, for the root node the first tag values of the two parties are independent of each other, and the second tag values satisfy t_0 - t_1 = -1. Therefore, layer 0 of the binary tree, the root node layer, satisfies the invariant relationship described above.
In the following we demonstrate that, in the case where the j-1 th layer has satisfied the above-described invariant relationship, the j-th layer necessarily satisfies the above-described invariant relationship by the above-described correction process.
In particular, the nodes of the j-th layer may be divided into regular nodes, the punctured node, and the "paired node" of the punctured node, where the "paired node" is the node that shares the same parent node with the punctured node. For example, in FIG. 3, layer j=2 has 4 nodes in total, numbered from 0 to 3; i=0 and i=1 are regular nodes, i=2 is the punctured node, and i=3 is the paired node. Layer j=3 has 8 nodes, numbered from 0 to 7; i=5 is the punctured node, i=4 is the paired node, and the other nodes are regular nodes. Each case is described below with reference to FIG. 3.
For regular node i, the parent node of the j-1 layer is necessarily also regular node, and since the j-1 layer has satisfied the invariant relationship, the label value of the first party and the second party for the parent node is the same. Thus, the temporary tag values generated by the first and second parties for the node i are the same; the correction methods of the formulas (4) and (5) and the formulas (6) and (7) are the same, and therefore, when the temporary tag value of the node i is the same and the second tag value of the parent node is the same, the obtained first tag value and second tag value are necessarily equal to each other.
If node i is a puncturing node, its parent node must be a puncturing node, so there are:
The difference between the second label values of the punctured node i obtained by the two parties can be calculated as follows:
When the punctured node i is a left-side node, for example the punctured node i=2 of layer j=2, we have lsb(i)=0 and α^(j)=0, and the above equation can be continued as:
The last step uses the fact that the other nodes on the same side are regular nodes, whose tag values are equal for the two parties.
When the punctured node i is a right-side node, for example the punctured node i=5 of layer j=3, we have lsb(i)=1 and α^(j)=1, and the above equation can be continued as:
Thus, for a punctured node i, the difference between the second tag value of the first party and the second tag value of the second party is the constant -1. The first tag values of the two parties are independent of each other.
If node i is a paired node, then it is not a punctured node itself, but its parent node is a punctured node, so there is:
Then, after correction, the difference between the first label values of the paired node i obtained by the two parties can be calculated as follows:
Here the side in question is the side opposite the punctured node, i.e., the side of the paired node, so the last equality holds.
The difference between the second label values of the paired node i obtained by the two parties can be calculated as follows:
When the paired node i is a left-side node, for example the paired node i=4 of layer j=3, we have lsb(i)=0 and α^(j)=1, and the above equation can be continued as:
When the paired node i is a right-side node, for example the paired node i=3 of layer j=2, we have lsb(i)=1 and α^(j)=0, and the above equation can be continued as:
Therefore, for the paired node, the first tag values and the second tag values of the two parties are correspondingly equal.
It is thus proved that, through correction by the correction factors, the label values of the nodes in every layer of the two parties' binary trees satisfy the invariant relationship: for a punctured node, the first tag values of the first party and the second party are independent and the difference between the second tag values is the constant -1; for a non-punctured node, the first tag values and the second tag values of the two parties are correspondingly the same.
The above remarks are all made based on the constant c= -1. When the constant c takes other values, for example, c= -w, where w is a positive integer, the temporary tag value in the correction formulas (4) - (7) is simply multiplied by the coefficient w. For example, for party b, its tag value may be modified by:
It can be similarly verified that, through the above correction, the difference between the second tag values of the punctured nodes in the binary trees of the two parties is the constant -w, and the tag values of the non-punctured nodes are the same.
The above processes of determining the temporary tag value, determining the correction factor, and performing correction are performed layer by layer until the leaf node layer of the binary tree. Thus, each leaf node is also assigned a first tag value and a second tag value.
Returning to FIG. 2, after step 22 has been executed layer by layer, each of the first and second parties continues with step 23: based on the first tag values of its leaf nodes and its own slice of the predetermined value β, it determines the output correction value γ by performing a second secure computation with the corresponding data provided by the other party.
Specifically, the first party calculates the sum of the first tag values of all its leaf nodes as the tag sum value of the first party; the second party likewise calculates the sum of the first tag values of its leaf nodes as the tag sum value of the second party. Then, the first party uses its tag sum value and the first slice β_0 of the predetermined value β, and the second party uses its tag sum value and the second slice β_1 of the predetermined value β; the two parties perform the second secure computation to obtain the output correction value γ, such that γ is equal to the tag sum value of the first party minus the tag sum value of the second party, minus the predetermined value β, namely:
Next, at step 24, each party generates a local computation key including the root node's tag value, the correction factors for the respective layers, and the output correction value γ.
Specifically, the first party generates its key, and the second party generates its key.
In the above key form, since the second tag value of the root node is a preset fixed value, only the first tag value s of the root node is included in the key. In other examples, the second tag value of the root node may also be included in the key.
Thus, through the method flow illustrated in fig. 2 above, the first and second parties each generate a key for secure computation. The above-described process may be performed off-line during the preliminary stage. After the key is generated, both parties can make secure calculations for online input using the key.
FIG. 4 illustrates a method flow for secure computation according to one embodiment. The secure computation uses a distributed point function f_{α,β}(x), which maps a preset integer α to a predetermined value β in a k-bit integer ring. The preset integer α and the predetermined value β are stored between the two parties in sliced form. The two parties comprise a first party and a second party, each of which has generated a key through the method flow of FIG. 2. The specific procedure of the secure computation performed by both parties as shown in FIG. 4 is described below. Each of the first and second parties may perform the secure computation according to the flow of FIG. 4.
At step 41, a computation key generated according to the method of FIG. 2 is obtained, including the tag value of the root node, the correction factors for the various levels of the binary tree, and the output correction values.
Specifically, the first party P0 obtains its pre-generated key, and the second party P1 obtains its pre-generated key.
In step 42, an input integer x is obtained. It is to be understood that the input integer x is an element in the definition field, i.e. the integer ring Z. Both the first party and the second party may obtain the input integer.
Then, at step 43, the parties map the input integer x to a target leaf node in the leaf node hierarchy of the binary tree and determine the target nodes passed at each level from the root node to the target leaf node.
As previously described, assuming that the domain integer ring of the distributed point function contains M elements, then the leaf node layer of the binary tree includes M leaf nodes corresponding to the M elements. In this manner, the current input integer x may be mapped to one of the M leaf nodes as the target leaf node. In the binary tree, each layer of nodes covered on the path from the root node to the target leaf node are all used as target nodes.
Fig. 5 illustrates a target node schematic diagram in one specific example. In fig. 5, the target node is shown with diagonal hatching. It can be seen that the target leaf node in the leaf node layer corresponds to the input integer x. And forming a target path from the root node to the target leaf node, wherein each node on the target path is the target node of each layer.
Then, in step 44, each of the first and second parties calculates, layer by layer, the label value of the target node of each layer based on the label value of the root node in the key and the correction factor of each layer until the first and second label values of the target leaf node are determined.
Specifically, for a target node in the j-th layer, each party may generate a temporary tag value of the target node according to the tag value of its parent node (the target node of the previous layer); and then, correcting the temporary tag value of the target node by using the correction factor of the j-th layer contained in the key to obtain a first tag value and a second tag value of the target node.
As shown in the key, the correction factor of the j-th layer includes a first label factor σ_j, a left label factor τ_{j,0} and a right label factor τ_{j,1}. The correction is performed as shown in formulas (4)-(7) or (8)-(9): the temporary tag value is corrected using the second tag value of the parent node and the first label factor σ_j to obtain the first tag value of the target node; and the corresponding factor is selected from the left label factor and the right label factor according to the side on which the target node lies, and the temporary tag value is corrected using the second tag value of the parent node and the selected factor to obtain the second tag value of the target node.
Thus, starting from layer 1, calculating layer by layer until the leaf node layer, and determining a first label value and a second label value of the target leaf node.
Then, in step 45, each party determines its output slice from the first tag value and second tag value obtained for the target leaf node and the output correction value γ contained in the key, such that the combination of the two parties' output slices is equal to the output value of the distributed point function for the input integer x.
Specifically, in one embodiment, the first party P0 calculates the product of the second tag value of the current target leaf node (the node numbered x in the n-th layer) and the output correction value γ; the sum of the first tag value of the target leaf node and this product, in the k-bit integer ring, is determined as the first party's output slice V0, i.e.:
The second party P1 calculates the product of the second tag value of the target leaf node and the output correction value γ; the inverse (negative) of the sum of the first tag value of the target leaf node and this product, in the k-bit integer ring, is determined as the second party's output slice V1, namely:
If the current input integer x ≠ α, the target leaf node is not a punctured node, so the tag values of the two parties are equal, and it is therefore apparent that V0 + V1 = 0.
If the current input integer is exactly α, i.e., x=α, the target leaf node is exactly the punctured leaf node, and the sum of the two slices can be written as:
The last step uses the fact that, at the leaf node layer, the tag values of the two parties are equal for all nodes other than the punctured leaf node.
In another embodiment, the invariant relationship between binary tree puncturing nodes in the process of generating the key is In this case, the first label value is multiplied by the coefficient w in V0 and V1.
Thus, according to the invariant relation of the label values of the nodes of the two sides in the binary tree in the key generation process, when the input integer x is not equal to the preset integer alpha, the sum of the fragments of the two sides is 0; when the input integer is equal to alpha, the sum of the fragments of the two parties is beta, so that the operation process of the distributed point function is realized.
In one embodiment, both parties directly use their respective output slices as the result of the secure computation. Specifically, the first party P0 outputs the first output slice V0 and the second party P1 outputs the second output slice V1 as the result of the secure computation.
In another embodiment, both parties implement a distributed point function through respective output slices, and execute an OLE protocol through the distributed point function, thereby generating a data tuple for the multiplication triplet. In other words, both parties generate further security computed data tuples using respective output slices, thereby facilitating the further security computation, e.g., both party secure multiplications, etc. Various security computing protocols based on data tuples are widely used in privacy protection scenarios in conjunction with machine learning, and are not exemplified here.
In view of the above, in embodiments of the present description, the first party and the second party together implement a distributed point function operation in a k-bit integer ring. In the offline stage, the two parties respectively construct binary trees with the same tree structure, and the two parties jointly determine the correction factors and correct the node label values by using the correction factors so as to ensure that the node labels of the two parties meet the following invariant relation: for non-punctured nodes, the label values of the two parties are equal; for the punctured node, the difference between the second partial tag values of the tag values obtained by the first and second parties, respectively, is constant. And each party obtains the key based on the label value of the root node, the correction factors of each layer and the output correction values. Based on the obtained secret key, the two parties can operate on the online input integer, so that the safe calculation based on the distributed point function is realized together. Such secure computation may generate output results in a k-bit integer ring that are needed for the business, which facilitates efficient execution of subsequent secure computation.
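The offline and online phases described above, as an added simulation that is not code from the patent: a trusted dealer stands in for both secure-computation steps, so it checks the invariant and the sum V0 + V1 but provides no privacy. Assumed here rather than taken from the page: root second tags 0 and 1, the additive correction form in `correct_layer`, the factor values τ_{j,0} = Δ_left + 1 - α^(j) and τ_{j,1} = Δ_right + α^(j), SHAKE-256 as the generator G, and all function names.

```python
import hashlib
import secrets

LAMBDA = 128            # tag width in bits (page: lambda >= k, typically >= 128)
K = 32                  # outputs live in the k-bit integer ring
MOD_L = 1 << LAMBDA
MOD_K = 1 << K


def prg(seed):
    """G: lambda bits -> 2*lambda bits, split into (left, right) temporary tags.
    SHAKE-256 is a stand-in for the agreed generator (assumption)."""
    half = LAMBDA // 8
    out = hashlib.shake_256(seed.to_bytes(half, "big")).digest(2 * half)
    return int.from_bytes(out[:half], "big"), int.from_bytes(out[half:], "big")


def expand_layer(parents):
    """Step 221: temporary tags of layer j from the (s, t) tags of layer j-1."""
    temps = []
    for s, _t in parents:
        temps.extend(prg(s))
    return temps


def correct_layer(temps, parents, sigma, tau):
    """Step 223, assumed form: s = tmp + t_parent*sigma, t = tmp + t_parent*tau[lsb(i)]."""
    out = []
    for i, tmp in enumerate(temps):
        t_par = parents[i // 2][1]
        out.append(((tmp + t_par * sigma) % MOD_L,
                    (tmp + t_par * tau[i & 1]) % MOD_L))
    return out


def gen_keys(alpha, beta, n):
    """Offline phase. The dealer sees alpha and beta in the clear (simulation only)."""
    s0, s1 = secrets.randbits(LAMBDA), secrets.randbits(LAMBDA)
    layer = [[(s0, 0)], [(s1, 1)]]          # root invariant: t0 - t1 = -1
    factors = []
    for j in range(1, n + 1):
        a_j = (alpha >> (n - j)) & 1        # side of the punctured node in layer j
        temps = [expand_layer(layer[b]) for b in (0, 1)]
        d_left = (sum(temps[0][0::2]) - sum(temps[1][0::2])) % MOD_L
        d_right = (sum(temps[0][1::2]) - sum(temps[1][1::2])) % MOD_L
        sigma = d_right if a_j == 0 else d_left   # difference on the opposite side
        tau = ((d_left + 1 - a_j) % MOD_L, (d_right + a_j) % MOD_L)
        factors.append((sigma, tau))
        layer = [correct_layer(temps[b], layer[b], sigma, tau) for b in (0, 1)]
    # Step 23: gamma = (sum of P0 leaf first tags) - (sum of P1 leaf first tags) - beta
    gamma = (sum(s for s, _ in layer[0]) - sum(s for s, _ in layer[1]) - beta) % MOD_K
    return (s0, factors, gamma), (s1, factors, gamma), layer


def eval_share(b, key, x, n):
    """Online phase for party b: walk root -> leaf x, then form the output slice."""
    s, factors, gamma = key
    t = b                                   # fixed root second tag (assumed 0 / 1)
    for j in range(1, n + 1):
        bit = (x >> (n - j)) & 1
        tmp = prg(s)[bit]
        sigma, tau = factors[j - 1]
        s, t = (tmp + t * sigma) % MOD_L, (tmp + t * tau[bit]) % MOD_L
    v = (t * gamma + s) % MOD_K
    return v if b == 0 else (-v) % MOD_K    # V1 is the negated sum


def leaf_invariant_holds(leaves, alpha):
    """Non-punctured leaves: identical tags. Punctured leaf: t0 - t1 = -1."""
    for i, (p0, p1) in enumerate(zip(leaves[0], leaves[1])):
        if i == alpha:
            if (p0[1] - p1[1]) % MOD_L != MOD_L - 1:
                return False
        elif p0 != p1:
            return False
    return True


if __name__ == "__main__":
    n, alpha, beta = 4, 11, 12345           # constructed sample values
    k0, k1, leaves = gen_keys(alpha, beta, n)
    print("leaf invariant:", leaf_invariant_holds(leaves, alpha))
    for x in range(1 << n):
        total = (eval_share(0, k0, x, n) + eval_share(1, k1, x, n)) % MOD_K
        print(x, total)
```
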
According to an embodiment of another aspect, there is further provided an apparatus for generating a secure computation key by a combination of two parties, the secure computation using a distributed point function for mapping a preset integer α to a predetermined value β in a k-bit integer ring; the preset integer alpha and the preset value beta are distributed in a fragmentation form among two parties, wherein the two parties comprise a first party and a second party, and the first party and the second party can be realized as any device or platform with calculation and processing capabilities. FIG. 6 illustrates a schematic diagram of an apparatus for generating secure computing keys, which may be deployed in either of a first party and a second party, according to one embodiment. As shown in fig. 6, the apparatus 600 includes:
an initializing unit 61 configured to generate a binary tree and initialize a tag value of the root node;
a tag assignment unit 62, configured to perform a tag assignment process on the binary tree layer by layer, including:
a temporary label generating module 621 configured to generate, for each node of the j-th layer, a temporary label value of the node according to the label value of its parent node;
a correction factor determining module 622, configured to determine, based on the temporary tag value and the present slice of the preset integer α, a correction factor corresponding to the j-th layer by performing a first security operation with corresponding data provided by the other party;
A label correction module 623 configured to correct the temporary label value of each node using the correction factor to obtain a first label value and a second label value of each node, such that: for a punctured node, the difference between second tag values obtained by a first party and a second party is a constant c, and for a non-punctured node, the first tag value and the second tag value of the two parties are correspondingly the same; the puncturing node is a node passing from a root node to a puncturing leaf node, and the puncturing leaf node is a leaf node with an index number corresponding to the preset integer alpha;
an output correction determining unit 63 configured to determine an output correction value by performing a second security calculation with corresponding data provided by the other party based on the first label value of each leaf node and the present slice of the predetermined value β;
the key generation unit 64 is configured to generate a calculation key including the tag value of the root node, the correction factors of the respective layers, and the output correction values.
In one embodiment, the domain of the distributed point function is an integer ring comprising M elements; the leaf node layer of the binary tree includes at least M leaf nodes corresponding to the M elements.
According to one embodiment, the initialization unit 61 is specifically configured to: randomly generate a first bit string as the first label value of the root node; and assign a fixed value to the second label value of the root node in an agreed manner, wherein the agreed manner ensures that the difference between the fixed value of the first party and the fixed value of the second party is the constant c.
In one embodiment, the temporary label generation module 621 is configured to: for any first node in the j-th layer, generate a corresponding pseudo-random value using a pseudo-random generator according to the first label value of the parent node of the first node, and take the pseudo-random value as the temporary label value of the first node.
According to one embodiment, the correction factor determination module 622 is specifically configured to: sum the temporary label values of the left nodes and of the right nodes of the j-th layer respectively to obtain a left sum value and a right sum value; and perform the first secure operation using the left sum value, the right sum value and this party's fragment of the preset integer α, together with the corresponding sum values and the other party's fragment of the preset integer α provided by the other party, to obtain the correction factor corresponding to the j-th layer.
In one embodiment, the correction factors include a first label factor, a left label factor, and a right label factor, wherein: the first label factor indicates, on the side opposite the punctured node, the difference between the sum of the first party's temporary label values and the sum of the second party's temporary label values; the left label factor is determined based on a left difference value and the side on which the punctured node is located, the left difference value being the difference between the sum of the first party's left-node temporary label values and the sum of the second party's left-node temporary label values; the right label factor is determined based on a right difference value and the side on which the punctured node is located, the right difference value being the difference between the sum of the first party's right-node temporary label values and the sum of the second party's right-node temporary label values.
According to one embodiment, the label correction module 623 is configured to: for any first node in the j-th layer, correct its temporary label value using the second label value of its parent node and the first label factor to obtain the first label value of the first node; and select the corresponding factor from the left label factor and the right label factor according to the side on which the first node is located, and correct the temporary label value using the second label value of the parent node and the selected factor to obtain the second label value of the first node.
In one embodiment, the output correction determination unit 63 is configured to: calculate the sum of the first label values of all leaf nodes as this party's label sum value; and perform the second secure computation using this party's label sum value and this party's fragment of the predetermined value β, together with the other party's label sum value and the other party's fragment of the predetermined value β, to obtain the output correction value, wherein the output correction value is equal to the result of subtracting the second party's label sum value from the first party's label sum value and then subtracting the predetermined value β.
According to an embodiment of a further aspect, there is also provided an apparatus for performing secure computation using a distributed point function that maps a preset integer α to a predetermined value β in a k-bit integer ring; the two parties include a first party and a second party, each of which may be implemented as any device or platform having computing and processing capabilities. FIG. 7 illustrates a schematic diagram of an apparatus for performing secure computation according to one embodiment, which may be deployed at either the first party or the second party. As shown in FIG. 7, the apparatus 700 includes:
a key acquisition unit 71 configured to acquire a computation key including the label value of a root node, the correction factors of the respective layers of a binary tree, and an output correction value;
an input acquisition unit 72 configured to acquire an input integer;
a target node determining unit 73 configured to map the input integer to a target leaf node in the leaf node layer of the binary tree and determine the target node passed through at each layer on the path from the root node to the target leaf node;
a label value determining unit 74 configured to calculate the label values of the target nodes layer by layer according to the label value of the root node and the correction factors of the respective layers, until the first label value and the second label value of the target leaf node are determined;
an output determining unit 75 configured to determine, based on the first label value and the second label value of the target leaf node and the output correction value, this party's output fragment, which is to be combined with the other party's output fragment to give the output value of the distributed point function for the input integer.
According to one embodiment, the label value determination unit 74 is configured to: for a target node in the j-th layer, generate a temporary label value of the target node according to the label value of its parent node; and correct the temporary label value of the target node using the correction factor of the j-th layer to obtain the first label value and the second label value of the target node.
Further, in one embodiment, the correction factors include a first label factor, a left label factor, and a right label factor; accordingly, the label value determination unit 74 is specifically configured to: correct the temporary label value using the second label value of the parent node and the first label factor to obtain the first label value of the target node; and select the corresponding factor from the left label factor and the right label factor according to the side on which the target node is located, and correct the temporary label value using the second label value of the parent node and the selected factor to obtain the second label value of the target node.
According to a specific embodiment, when the apparatus 700 is deployed at the first party, the output determination unit 75 is configured to: calculate the product of the second label value of the target leaf node and the output correction value, and determine the sum, in the k-bit integer ring, of the first label value of the target leaf node and the product as the output fragment;
when the apparatus 700 is deployed at the second party, the output determination unit 75 is configured to: calculate the product of the second label value of the target leaf node and the output correction value, and determine the additive inverse, in the k-bit integer ring, of the sum of the first label value of the target leaf node and the product as the output fragment.
With the above apparatus, the first party and the second party can jointly perform secure computation based on the distributed point function, and the distributed point function produces its result in the k-bit integer ring required by the service, so that subsequent computation can be performed efficiently and the security of private data is better protected.
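The key generation and evaluation flow described above, as an added Python walk-through that is not code from the patent; it checks that the two parties' output fragments sum to β at input α and to 0 at every other input. Assumed here and not stated in the text: SHA-512 as the pseudo-random generator, 128-bit labels, c = -1 (root second label values 0 and 1), the additive form `tmp + parent_t * factor` for the correction, and a single dealer that sees α and β in the clear in place of the first and second secure operations.

```python
import hashlib
import secrets

K = 32                                # outputs live in the k-bit ring Z_{2^K} (assumed k)
LBITS = 128                           # first label values double as PRG seeds (assumed size)
RING, OUT = 1 << LBITS, 1 << K

def prg(seed):
    """Temporary labels of both children: [(s_left, t_left), (s_right, t_right)]."""
    d = hashlib.sha512(seed.to_bytes(16, "big")).digest()
    w = [int.from_bytes(d[i:i + 16], "big") for i in range(0, 64, 16)]
    return [(w[0], w[1]), (w[2], w[3])]

def correct(tmp, parent_t, cw, side):
    """Correct one child with the layer factors cw = (first, left, right)."""
    s = (tmp[0] + parent_t * cw[0]) % RING          # first label value
    t = (tmp[1] + parent_t * cw[1 + side]) % RING   # second label value
    return s, t

def side_diff(tmp, side, comp):
    """First party's sum minus second party's sum of temporary labels on one side."""
    return (sum(n[side][comp] for n in tmp[0]) - sum(n[side][comp] for n in tmp[1])) % RING

def gen(alpha, beta, depth):
    """Dealer stand-in for the joint key generation; returns (key_first, key_second)."""
    roots = [(secrets.randbelow(RING), 0), (secrets.randbelow(RING), 1)]  # t differs by c = -1
    layer = [[roots[0]], [roots[1]]]                 # per party: labels of the current layer
    cws = []
    for j in range(depth):
        keep = (alpha >> (depth - 1 - j)) & 1        # side of the punctured child
        tmp = [[prg(s) for s, _ in layer[p]] for p in (0, 1)]
        cw = (side_diff(tmp, 1 - keep, 0),           # first label factor: opposite side
              (side_diff(tmp, 0, 1) + int(keep == 0)) % RING,   # left label factor
              (side_diff(tmp, 1, 1) + int(keep == 1)) % RING)   # right label factor
        cws.append(cw)
        layer = [[correct(tmp[p][i][side], layer[p][i][1], cw, side)
                  for i in range(len(layer[p])) for side in (0, 1)] for p in (0, 1)]
    sums = [sum(s for s, _ in layer[p]) % OUT for p in (0, 1)]   # label sum values
    cw_out = (sums[0] - sums[1] - beta) % OUT        # output correction value
    return tuple((roots[p], cws, cw_out) for p in (0, 1))

def leaf_labels(key, x, depth):
    """Walk root -> target leaf, recomputing only the labels on the path."""
    (s, t), cws, _ = key
    for j in range(depth):
        side = (x >> (depth - 1 - j)) & 1
        s, t = correct(prg(s)[side], t, cws[j], side)
    return s, t

def eval_share(key, x, depth, party):
    """Output fragment: first party s + t*cw_out, second party its additive inverse."""
    s, t = leaf_labels(key, x, depth)
    y = (s + t * key[2]) % OUT
    return y if party == 0 else (-y) % OUT

def demo(depth=4, alpha=11, beta=0xC0FFEE):
    """Constructed parameters; returns the reconstructed output for every input."""
    k0, k1 = gen(alpha, beta, depth)
    return [(eval_share(k0, x, depth, 0) + eval_share(k1, x, depth, 1)) % OUT
            for x in range(1 << depth)]

if __name__ == "__main__":
    print(demo())
```

Because the dealer here holds α, β and both root seeds, the code demonstrates correctness of the label invariants only; the privacy property depends on the correction factors being produced by the two-party secure operations.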
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2 and 4.
According to an embodiment of yet another aspect, there is also provided a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, implements the method described in connection with fig. 2 and 4.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on, or transmitted as, one or more instructions or code on a computer-readable medium.
The foregoing embodiments have been provided to illustrate the general principles of the present invention in further detail and are not to be construed as limiting the scope of the invention; any modifications, equivalents, improvements, etc. made on the basis of the teachings of the invention are intended to be covered.

Claims (25)

1. A method for jointly generating a secure computation key by two parties, wherein the secure computation uses a distributed point function that maps a preset integer α to a predetermined value β in a k-bit integer ring; the preset integer α and the predetermined value β are distributed between the two parties in fragment form, the two parties comprise a first party and a second party, and the method is performed by either of the two parties and comprises:
generating a binary tree and initializing a label value of a root node;
performing label assignment processing on the binary tree layer by layer, wherein the label assignment processing for the j-th layer comprises the following steps:
for each node of the j-th layer, generating a temporary label value of the node according to the label value of the parent node;
based on the temporary label values and this party's fragment of the preset integer α, determining a correction factor corresponding to the j-th layer by performing a first secure operation with corresponding data provided by the other party;
and correcting the temporary label value of each node using the correction factor to obtain a first label value and a second label value of each node, such that: for a punctured node, the difference between the second label values obtained by the first party and the second party is a constant c, and for a non-punctured node, the first label values of the two parties are the same and the second label values of the two parties are the same; a punctured node is a node on the path from the root node to the punctured leaf node, and the punctured leaf node is the leaf node whose index number corresponds to the preset integer α;
determining an output correction value, based on the first label value of each leaf node and this party's fragment of the predetermined value β, by performing a second secure computation with corresponding data provided by the other party;
generating a computation key, which includes the label value of the root node, the correction factors of the respective layers, and the output correction value.
2. The method of claim 1, the domain of the distributed point function being an integer ring comprising M elements; the leaf node layer of the binary tree includes at least M leaf nodes corresponding to the M elements.
3. The method of claim 1, wherein initializing a tag value of a root node comprises:
randomly generating a first bit string as a first tag value of the root node;
assigning a fixed value to the second label value of the root node in an agreed manner;
wherein the agreed manner ensures that the difference between the fixed value of the first party and the fixed value of the second party is the constant c.
4. The method according to claim 1, wherein for each node of the j-th layer, generating a temporary label value of the node according to the label value of its parent node specifically comprises:
for any first node in the j-th layer, generating a corresponding pseudo-random value using a pseudo-random generator according to the first label value of the parent node of the first node, and taking the pseudo-random value as the temporary label value of the first node.
5. The method of claim 1, wherein determining the correction factor corresponding to the j-th layer comprises:
summing the temporary label values of the left nodes and of the right nodes of the j-th layer respectively to obtain a left sum value and a right sum value;
and performing the first secure operation using the left sum value, the right sum value and this party's fragment of the preset integer α, together with the corresponding sum values and the other party's fragment of the preset integer α provided by the other party, to obtain the correction factor corresponding to the j-th layer.
6. The method of claim 1 or 5, wherein the correction factors include a first label factor, a left label factor, and a right label factor; wherein:
the first label factor indicates, on the side opposite the punctured node, the difference between the sum of the first party's temporary label values and the sum of the second party's temporary label values;
the left label factor is determined based on a left difference value and the side on which the punctured node is located, the left difference value being the difference between the sum of the first party's left-node temporary label values and the sum of the second party's left-node temporary label values;
the right label factor is determined based on a right difference value and the side on which the punctured node is located, the right difference value being the difference between the sum of the first party's right-node temporary label values and the sum of the second party's right-node temporary label values.
7. The method of claim 6, wherein correcting the temporary label value for each node with the correction factor comprises:
for any first node in the j-th layer, correcting its temporary label value using the second label value of its parent node and the first label factor to obtain the first label value of the first node;
and selecting the corresponding factor from the left label factor and the right label factor according to the side on which the first node is located, and correcting the temporary label value using the second label value of the parent node and the selected factor to obtain the second label value of the first node.
8. The method of claim 1, wherein determining the output correction value comprises:
calculating the sum of the first label values of all leaf nodes as this party's label sum value;
and performing the second secure computation using this party's label sum value and this party's fragment of the predetermined value β, together with the other party's label sum value and the other party's fragment of the predetermined value β, to obtain the output correction value, wherein the output correction value is equal to the result of subtracting the second party's label sum value from the first party's label sum value and then subtracting the predetermined value β.
9. A method of performing secure computation using a distributed point function that maps a preset integer α to a predetermined value β in a k-bit integer ring; the two parties include a first party and a second party, the method being performed by either of the two parties and comprising:
obtaining a computation key generated according to the method of claim 1, wherein the computation key comprises a tag value of a root node, correction factors of respective layers of a binary tree, and output correction values;
acquiring an input integer;
mapping the input integer to a target leaf node in the leaf node layer of the binary tree, and determining the target node passed through at each layer on the path from the root node to the target leaf node;
calculating the label values of the target nodes layer by layer according to the label value of the root node and the correction factors of the respective layers, until the first label value and the second label value of the target leaf node are determined;
and determining this party's output fragment according to the first label value and the second label value of the target leaf node and the output correction value, wherein this party's output fragment is to be combined with the other party's output fragment to give the output value of the distributed point function for the input integer.
10. The method according to claim 9, wherein calculating the label value of the target node of each layer by layer according to the label value of the root node and the correction factors of each layer specifically comprises:
for a target node in the j-th layer, generating a temporary label value of the target node according to the label value of a parent node of the target node;
and correcting the temporary tag value of the target node by using the correction factor of the j-th layer to obtain a first tag value and a second tag value of the target node.
11. The method of claim 10, wherein the correction factors include a first label factor, a left label factor, and a right label factor;
correcting the temporary label value of the target node using the correction factor of the j-th layer comprises:
correcting the temporary label value using the second label value of the parent node and the first label factor to obtain the first label value of the target node;
and selecting the corresponding factor from the left label factor and the right label factor according to the side on which the target node is located, and correcting the temporary label value using the second label value of the parent node and the selected factor to obtain the second label value of the target node.
12. The method according to claim 9, wherein:
when the party performing the method is the first party, determining the output fragment comprises:
calculating the product of the second label value of the target leaf node and the output correction value, and determining the sum, in the k-bit integer ring, of the first label value of the target leaf node and the product as the output fragment;
when the party performing the method is the second party, determining the output fragment comprises:
calculating the product of the second label value of the target leaf node and the output correction value, and determining the additive inverse, in the k-bit integer ring, of the sum of the first label value of the target leaf node and the product as the output fragment.
13. An apparatus for jointly generating a secure computation key by two parties, wherein the secure computation uses a distributed point function that maps a preset integer α to a predetermined value β in a k-bit integer ring; the preset integer α and the predetermined value β are distributed between the two parties in fragment form, the two parties comprise a first party and a second party, and the apparatus is deployed at either of the two parties and comprises:
an initializing unit configured to generate a binary tree and initialize the label value of a root node;
a label assignment unit configured to perform label assignment processing on the binary tree layer by layer, and comprising:
a temporary label generating module configured to generate, for each node of the j-th layer, a temporary label value of the node according to the label value of its parent node;
a correction factor determining module configured to determine, based on the temporary label values and this party's fragment of the preset integer α, a correction factor corresponding to the j-th layer by performing a first secure operation with corresponding data provided by the other party;
a label correction module configured to correct the temporary label value of each node using the correction factor to obtain a first label value and a second label value of each node, such that: for a punctured node, the difference between the second label values obtained by the first party and the second party is a constant c, and for a non-punctured node, the first label values of the two parties are the same and the second label values of the two parties are the same; a punctured node is a node on the path from the root node to the punctured leaf node, and the punctured leaf node is the leaf node whose index number corresponds to the preset integer α;
an output correction determining unit configured to determine an output correction value, based on the first label value of each leaf node and this party's fragment of the predetermined value β, by performing a second secure computation with corresponding data provided by the other party;
and a key generation unit configured to generate a computation key including the label value of the root node, the correction factors of the respective layers, and the output correction value.
14. The device of claim 13, a domain of the distributed point function being an integer ring comprising M elements; the leaf node layer of the binary tree includes at least M leaf nodes corresponding to the M elements.
15. The apparatus of claim 13, wherein the initialization unit is specifically configured to:
randomly generate a first bit string as the first label value of the root node;
assign a fixed value to the second label value of the root node in an agreed manner;
wherein the agreed manner ensures that the difference between the fixed value of the first party and the fixed value of the second party is the constant c.
16. The apparatus of claim 13, wherein the temporary tag generation module is configured to:
for any first node in the j-th layer, generate a corresponding pseudo-random value using a pseudo-random generator according to the first label value of the parent node of the first node, and take the pseudo-random value as the temporary label value of the first node.
17. The apparatus of claim 13, wherein the correction factor determination module is specifically configured to:
sum the temporary label values of the left nodes and of the right nodes of the j-th layer respectively to obtain a left sum value and a right sum value;
and perform the first secure operation using the left sum value, the right sum value and this party's fragment of the preset integer α, together with the corresponding sum values and the other party's fragment of the preset integer α provided by the other party, to obtain the correction factor corresponding to the j-th layer.
18. The apparatus of claim 13 or 17, wherein the correction factors include a first label factor, a left label factor, and a right label factor; wherein:
the first label factor indicates, on the side opposite the punctured node, the difference between the sum of the first party's temporary label values and the sum of the second party's temporary label values;
the left label factor is determined based on a left difference value and the side on which the punctured node is located, the left difference value being the difference between the sum of the first party's left-node temporary label values and the sum of the second party's left-node temporary label values;
the right label factor is determined based on a right difference value and the side on which the punctured node is located, the right difference value being the difference between the sum of the first party's right-node temporary label values and the sum of the second party's right-node temporary label values.
19. The apparatus of claim 18, wherein the label correction module is configured to:
for any first node in the j-th layer, correct its temporary label value using the second label value of its parent node and the first label factor to obtain the first label value of the first node;
and select the corresponding factor from the left label factor and the right label factor according to the side on which the first node is located, and correct the temporary label value using the second label value of the parent node and the selected factor to obtain the second label value of the first node.
20. The apparatus of claim 13, wherein the output correction determination unit is configured to:
calculate the sum of the first label values of all leaf nodes as this party's label sum value;
and perform the second secure computation using this party's label sum value and this party's fragment of the predetermined value β, together with the other party's label sum value and the other party's fragment of the predetermined value β, to obtain the output correction value, wherein the output correction value is equal to the result of subtracting the second party's label sum value from the first party's label sum value and then subtracting the predetermined value β.
21. An apparatus for performing secure computation using a distributed point function that maps a preset integer α to a predetermined value β in a k-bit integer ring; the two parties include a first party and a second party, and the apparatus is deployed at either of the two parties and comprises:
a key acquisition unit configured to acquire the computation key generated by the apparatus according to claim 13, including the label value of the root node, the correction factors of the respective layers of the binary tree, and the output correction value;
an input acquisition unit configured to acquire an input integer;
a target node determining unit configured to map the input integer to a target leaf node in a leaf node layer of the binary tree, and determine a target node passing at each layer from a root node to a target leaf node;
a label value determining unit configured to calculate the label values of the target nodes layer by layer according to the label value of the root node and the correction factors of the respective layers, until the first label value and the second label value of the target leaf node are determined;
and an output determining unit configured to determine this party's output fragment according to the first label value and the second label value of the target leaf node and the output correction value, wherein this party's output fragment is to be combined with the other party's output fragment to give the output value of the distributed point function for the input integer.
22. The apparatus of claim 21, wherein the tag value determination unit is configured to:
for a target node in the j-th layer, generate a temporary label value of the target node according to the label value of its parent node;
and correct the temporary label value of the target node using the correction factor of the j-th layer to obtain the first label value and the second label value of the target node.
23. The apparatus of claim 22, wherein the correction factors comprise a first label factor, a left label factor, and a right label factor;
the label value determination unit is specifically configured to:
correct the temporary label value using the second label value of the parent node and the first label factor to obtain the first label value of the target node;
and select the corresponding factor from the left label factor and the right label factor according to the side on which the target node is located, and correct the temporary label value using the second label value of the parent node and the selected factor to obtain the second label value of the target node.
24. The apparatus of claim 21, wherein:
when the apparatus is deployed at the first party, the output determination unit is configured to: calculate the product of the second label value of the target leaf node and the output correction value, and determine the sum, in the k-bit integer ring, of the first label value of the target leaf node and the product as the output fragment;
when the apparatus is deployed at the second party, the output determination unit is configured to: calculate the product of the second label value of the target leaf node and the output correction value, and determine the additive inverse, in the k-bit integer ring, of the sum of the first label value of the target leaf node and the product as the output fragment.
25. A computing device comprising a memory and a processor, wherein the memory has executable code stored therein, which when executed by the processor, implements the method of any of claims 1-12.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110551588.XA CN113517983B (en) 2021-05-20 2021-05-20 Method and device for generating secure computing key and performing secure computing

Publications (2)

Publication Number Publication Date
CN113517983A CN113517983A (en) 2021-10-19
CN113517983B true CN113517983B (en) 2023-10-20

Family

ID=78064985

Country Status (1)

Country Link
CN (1) CN113517983B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant